Abstract

We present here a generalization of the work done by Rabin and Ben-Or in [RB089]. We give a protocol for multiparty computation which tolerates any $Q^2$ active adversary structure based on the existence of a broadcast channel, secure communication between each pair of participants, and a monotone span program with multiplication tolerating the structure. The secrecy achieved is unconditional although we allow an exponentially small probability of error. This is possible due to a protocol for computing the product of two values already shared by means of a homomorphic commitment scheme which appeared originally in [CEvdG87].
1 Introduction

1.1 Multiparty computation

Multiparty computation (MPC) is a cryptographic task that allows a network of participants to emulate any trusted party protocol. Each player $P_i$ starts with a private input $x_i$. The players run a protocol to compute some function $g(x_1, \ldots, x_n)$. The result of this function can then be revealed publicly or privately to some particular player. The protocol is deemed secure if cheating parties can obtain no more information from running the protocol than they would in the trusted party scenario (in which each player gives $x_i$ to some external trusted party who then computes $g$ and sends the result to all the relevant players). Goldreich, Micali and Wigderson proved that to accomplish MPC it is sufficient to always have the value of $g$ revealed publicly and to assume that $g$ is given by an arithmetic circuit (i.e. addition and multiplication gates) from $K^n$ to $K$ where $K$ is some finite field.

The first general solution to this problem was given in [GMW87]. They present a protocol for MPC which is secure under the assumptions that a trapdoor one-way permutation exists, that the participants are restricted to probabilistic polynomial time (computationally bounded) and that the number of cheating parties is bounded above by $t$ where $t < n/2$. In the situation where the participants can only cheat passively (i.e. by eavesdropping) they can remove the last assumption. In [BOGW88] and [CCD88], the assumption of computational boundedness is removed and replaced by the assumption that each pair of players is connected by an authenticated secure channel. In this (non-computational) model they prove that MPC is possible with active adversaries if and only if $t < n/3$ and with passive adversaries if and only if $t < n/2$.

These results were extended in [RB089] to the scenario in which a reliable broadcast channel is also available. In that case active and passive cheaters can be tolerated if and only if $t < n/2$. However, to attain these bounds an exponentially small probability of error was introduced.

The result of [RB089] was first extended to more general adversary structures by Hirt and Maurer in [HM97]. However, maintaining an exponentially small probability of error entailed a superpolynomial loss of efficiency.

We present a more efficient version of an extension of the [RB089] protocol using monotone span programs, following the ideas of [CDM98]¹. The relevant definitions as well as a precise statement of our results are presented in the remainder of this section.



1.2 Adversary structures and monotone functions

Given a set of players $P$, an adversary structure $\mathcal{A}$ over $P$ is a set of subsets of players which is downward-closed under inclusion:

$$(B \in \mathcal{A} \text{ and } B' \subseteq B) \Rightarrow B' \in \mathcal{A}.$$

Normally such a structure is used to represent the collection of all coalitions of players which a given protocol can tolerate without losing security: as long as the set of cheating players is in $\mathcal{A}$, the cheaters cannot breach the security of the protocol.

Classically, protocols such as those of [RB089] have tolerated threshold structures, which are of the form $\mathcal{A} = \{B \subseteq P : |B| \le t\}$ for some $t$. However, [HM97] extends several of these results to more general structures, using the following definition:

Definition 1 An adversary structure $\mathcal{A}$ over $P$ is said to be $Q^k$ if no $k$ sets in $\mathcal{A}$ add up to the whole set $P$, that is

$$\forall B_1, B_2, \ldots, B_k \in \mathcal{A} : B_1 \cup B_2 \cup \cdots \cup B_k \ne P.$$

Hirt and Maurer ([HM97]) extended the results of [BOGW88], [RB089] (see section 1.1) which held for $t < n/3$ and $t < n/2$ to $Q^3$ and $Q^2$ structures respectively.



1.2.1 Monotone functions

Definition 2 For a partial order $\le$ on sets $A$ and $B$, we say that a function $f : A \to B$ is monotone if for $x, y \in A$ we have

$$x \le y \Rightarrow f(x) \le f(y).$$

We can define a partial order on $\{0,1\}^n$ by the rule "$x \le y$ iff each coordinate of $x$ is smaller than the corresponding coordinate of $y$." Then a function $f : \{0,1\}^n \to \{0,1\}$ is monotone if

$$x \le y \Rightarrow f(x) \le f(y).$$

By identifying $\{0,1\}^n$ with $\mathcal{P}(\{1, \ldots, n\})$, the relation $\le$ on $\{0,1\}^n$ corresponds to inclusion ($\subseteq$) in $\mathcal{P}(\{1, \ldots, n\})$. Then a monotone function $f$ corresponds to a function from $\mathcal{P}(\{1, \ldots, n\})$ to $\{0,1\}$ such that $A \subseteq B \Rightarrow f(A) \le f(B)$.

A monotone function $f$ naturally defines an adversary structure $\mathcal{A}_f = \{B \subseteq P : f(B) = 0\}$.

Given an adversary structure $\mathcal{A}$ and a monotone function $f$, we say $f$ rejects $\mathcal{A}$ if $f(B) = 0$ for all $B \in \mathcal{A}$, that is if $\mathcal{A} \subseteq \mathcal{A}_f$.

With these definitions in hand we can state the complexity of the Hirt-Maurer protocols: their generalization of [RB089] runs in time $m^{O(\log \log m)}$, where $m$ is the size of the smallest monotone formula consisting of majority-accepting gates which rejects the adversary structure $\mathcal{A}$.



1.3 Monotone span programs

Span programs were introduced as a model of computation in [KW93]. They were first used as a tool for multiparty computation by Cramer, Damgard and Maurer [CDM98]. In this section we define the concepts related to monotone span programs relevant to this paper.

Definition 3 A monotone span program (MSP) over a set $P$ is a triple $(K, M, \psi)$ where $K$ is a finite field, $M$ is a $d \times e$ matrix over $K$ and $\psi : \{1, \ldots, d\} \to P$ is a surjective function.

The MSP associates to each subset $B \subseteq P$ a subset of the rows of $M$: the set of rows $l$ such that $\psi(l) \in B$. This corresponds to a linear subspace of $K^e$ (the span of those rows). The monotone function $f : \mathcal{P}(P) \to \{0,1\}$ defined by a MSP is given by the rule $f(B) = 1$ if and only if the "target vector" $e = (1, 0, 0, \ldots, 0)$ is in the subspace associated with $B$. If we denote by $M_B$ the submatrix of $M$ formed of the rows $l$ such that $\psi(l) \in B$ then we get that

$$f(B) = 1 \iff e \in \mathrm{Im}(M_B^T).$$

Given a MSP computing $f$, there is a secret sharing scheme which tolerates the corresponding adversary structure $\mathcal{A}_f$. This scheme is explained in section 2.1.

The definition above is sufficient for "secret sharing"-type protocols such as VSS and for multiparty computations in which multiplication in the field is not necessary. For general MPC, however, we need a stronger notion.

¹ Results similar to those in this article have been found independently in [CDD+].



Definition 4 (due to [CDM98]) A MSP $(K, M, \psi)$ is said to be with multiplication if there exists a vector $r$ (called a "recombination vector") such that

$$\forall b, b' \in K^e : \langle r, Mb * Mb' \rangle = \langle e, b * b' \rangle$$

where $e = (1, 0, \ldots, 0)$, $\langle \cdot, \cdot \rangle$ is the standard inner product and for $v = (v_1, \ldots, v_d)$, $w = (w_1, \ldots, w_d)$ we have $v * w = (v_1 w_1, \ldots, v_d w_d)$.

In [CDM98] it is proved that for any $Q^2$ adversary structure $\mathcal{A}$, one can construct a MSP with multiplication which rejects $\mathcal{A}$. The MSP can be constructed so it is linear in the size of the smallest majority-accepting formula rejecting $\mathcal{A}$.

Note that a counting argument shows that not all families of $Q^2$ adversary structures over $n$ players (for $n = 1, 2, \ldots$) can be rejected by a family of MSP's with size polynomial in $n$.

See the open questions in section 6 for further discussion.



1.4 Previous work

This work follows the initiative of Cramer, Damgard and Maurer in [CDM98] for adapting existing threshold protocols to general adversary structures using monotone span programs. In that paper the results of [GMW87] and [BOGW88], [CCD88] were adapted to $Q^2$ and $Q^3$ structures respectively. We state their generalization of [BOGW88], [CCD88]:

Theorem 1 Let $\mathcal{A}$ be a $Q^3$ adversary structure and $\pi$ some multi-party protocol agreed upon by $n$ players. Let $(K, M, \psi)$ be a MSP with multiplication rejecting $\mathcal{A}$ and suppose $\pi$ can be implemented in $s$ steps with operations over $K$.

Then there is a protocol for $\pi$ tolerating $\mathcal{A}$ which is information-theoretically secure and which has complexity polynomial in $\log|K|$, $s$ and the size of $M$.



1.5 This article

In this paper we adapt the results of [RB089] to $Q^2$ structures with information-theoretic security. As mentioned above, this had already been done by Hirt and Maurer in [HM97] without using MSP's. However, their protocol ran in time $m^{O(\log \log m)}$ where $m$ is the size of the smallest monotone formula consisting of majority-accepting gates which rejects the adversary structure $\mathcal{A}$.

Our protocol on the other hand is polynomial in the size of the smallest MSP with multiplication rejecting $\mathcal{A}$. Since MSP's with multiplication are at least as efficient as majority-accepting formulae (proved in [CDM98]), our protocol is more efficient than the [HM97] construction.

The main results are:

Theorem 2 Let $\mathcal{A}$ be a $Q^2$ adversary structure on $n$ players and $(K, M, \psi)$ be a MSP rejecting $\mathcal{A}$. Suppose a reliable broadcast channel and secure communication between every pair of players is available.

There is a VSS scheme for $n$ players, tolerating $\mathcal{A}$, which has error probability $< 2^{-k}$ and which has complexity polynomial in $\log|K|$, $n$, $k$ and the size of $M$.

Theorem 3 Let $\mathcal{A}$ be a $Q^2$ adversary structure and $\pi$ some multi-party protocol agreed upon by $n$ players. Let $(K, M, \psi)$ be a MSP with multiplication rejecting $\mathcal{A}$ and suppose $\pi$ can be implemented in $s$ steps with operations over $K$. Suppose a reliable broadcast channel and secure communication between every pair of players is available.

Then there is a protocol for $\pi$ tolerating $\mathcal{A}$ which has error probability $< 2^{-k}$ and which has complexity polynomial in $\log|K|$, $s$, $n$, $k$ and the size of $M$.

Our protocol follows the construction of [RB089]. We first present the basic secret sharing scheme using MSP as well as an information checking protocol. We then give a protocol for weak secret sharing which we use to build a protocol for verifiable secret sharing. Using these tools we present the protocol for general MPC. For our protocol to be efficient, we change the product checking protocol of [RB089]². The protocol we give is polynomial in $\log|K|$ whereas that of [RB089] is $\Omega(|K|^2)$. We conclude with some open questions.



2 Secret Sharing and Information Checking

2.1 Secret Sharing

Given a MSP $(K, M, \psi)$, we can define a secret sharing scheme which tolerates the adversary structure $\mathcal{A}_f$ induced by the MSP (see section 1.3). Recall that $M$ is a $d \times e$ matrix over the field $K$ and $\psi : \{1, \ldots, d\} \to \{1, \ldots, n\}$ is an arbitrary function.

Say the dealer has a secret $a \in K$. He extends it to an $e$-rowed vector by adding random field elements $\rho_2, \ldots, \rho_e$ to make a vector $a^* = (a, \rho_2, \ldots, \rho_e)$. Let $\alpha = M a^*$ and let $\alpha_A$ denote the elements of $\alpha$ with indices in $A$ where $A \subseteq \{1, \ldots, d\}$. Then the dealer gives $\alpha_l$ to player $P_{\psi(l)}$. In the end, each $P_i$ receives $\alpha_{\psi^{-1}(i)}$.

From now on this protocol will be referred to as SHARE($D$, $a$) where $D$ is the dealer.

Lemma 4 SHARE is a secret sharing scheme secure against $\mathcal{A}_f$. That is, no coalition in $\mathcal{A}_f$ can learn any information about the secret but any set of players not in $\mathcal{A}_f$ can reconstruct it.

Proof: See [CDM98]. □



2.2 Information Checking

The protocol in this section is based on [RB089]. All computations are done over $F = GF(3^k)$ where $k$ is the security parameter. We require that $3^k > |K|^d$. This allows the encoding of any set of shares from the secret sharing scheme induced by the MSP $(K, M, \psi)$.

We will use in the sequel a Guaranteed Information Checking (GIC) protocol:

Pre: $D$ has already sent INT his secret $s \in F$.

Post: INT is guaranteed that an honest $R$ ($D$ may be dishonest) will always (i.e. with very high probability) accept his value for $s$. Moreover, no information about $s$ is leaked as long as $D$ and INT are honest.

Protocol: GIC-Generate($D \to$ INT $\to R$, $s$)

1. $D$ makes $2k$ vectors $(y_i, b_i, c_i)$ such that $b_i \in_R F - \{0\}$, $y_i \in_R F$ and $c_i = s + b_i y_i$. He sends $s$ and the $y_i$ to INT and sends the check vectors $(b_i, c_i)$ to $R$.

2. INT picks a random set $I \subseteq \{1, \ldots, 2k\}$ such that $|I| = k$ and broadcasts $I$.

3. $R$ broadcasts the check vectors $(b_i, c_i)$ with $i \in I$.

4. $D$ checks whether or not this is indeed what he sent to $R$. If so, he broadcasts his approval. If not, he creates a new triple $(y, b, c)$ such that $c = s + by$ and $b \ne 0$. He sends $y$ to INT and broadcasts the single check vector $(b, c)$.

5. Based on what he has seen, INT "guesses" whether or not $R$ will now accept his value. If $D$ approved in the previous step then INT decides "YES" if and only if $R$'s pairs all agreed with the values INT possesses. If $D$ disapproved and created a new check vector, INT outputs "YES" if and only if $c = s + by$ actually holds.

6. If INT thinks his value will be accepted by (an honest) $R$ he broadcasts his approval. If not, INT asks $D$ to broadcast $s$.

² The protocol given here was published in a different context (computational proofs of knowledge) in [CEvdG87]. We independently "discovered" a slightly different version in 1998.

Protocol: GIC-Authenticate(INT $\to R$, $s$)

1. INT sends $s$ along with either $\{y_i : i \notin I\}$ or $y$ (depending on what occurred at step 4) to $R$.

2. $R$ accepts if any one of the $y_i$'s agrees with her corresponding pair $(b_i, c_i)$, or if $y$ agrees with $(b, c)$.

Notice that at the end of GIC-Generate, INT is guaranteed (with high probability) that an honest $R$ will accept his value should he send it to $R$ later on. Also notice that if $D$ and INT are honest, no other party will gain any information about $s$ (including $R$).

Lemma 5 The GIC protocols have error probability less than $2^{-k}$.

Proof: See [RB089]. □
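The two GIC protocols above, written out as an added example (this is not the paper's code). It assumes a prime field GF(P) with P = 2^61 - 1 in place of the paper's GF(3^k), an honest INT and R, and models the broadcast channel by plain return values; the `dishonest_dealer` flag is a constructed misbehaviour (D gives R check vectors for values INT never received) used to show what step 5 catches.

```python
"""GIC-Generate and GIC-Authenticate from section 2.2 (added example, not the paper's code).
Roles: dealer D, intermediary INT, receiver R."""
import random

P = (1 << 61) - 1  # constructed: prime field standing in for the paper's GF(3^k)
K = 8              # security parameter k: 2k triples are made, k of them are cut open


def gic_generate(s, rng, dishonest_dealer=False):
    """GIC-Generate(D -> INT -> R, s) with honest INT and R.
    Returns (int_state, r_state, int_says_yes, broadcast_s); broadcast_s is the
    value D was asked to publish in step 6, or None when INT was satisfied."""
    # step 1: D makes 2k triples (y_i, b_i, c_i) with b_i != 0 and c_i = s + b_i*y_i.
    # INT receives s and the y_i; R receives the check vectors (b_i, c_i).
    y = [rng.randrange(P) for _ in range(2 * K)]
    b = [rng.randrange(1, P) for _ in range(2 * K)]
    c = [(s + bi * yi) % P for bi, yi in zip(b, y)]
    if dishonest_dealer:
        # constructed misbehaviour: R's check vectors are built on values INT never got
        c = [(s + bi * rng.randrange(P)) % P for bi in b]
    r_pairs = list(zip(b, c))
    # step 2: INT picks a random k-subset I of the 2k indices and broadcasts it
    I = set(rng.sample(range(2 * K), K))
    # step 3: R broadcasts the check vectors with index in I
    revealed = {i: r_pairs[i] for i in I}
    # step 4: D checks that R broadcast exactly what D sent (R is honest here,
    # so D approves; the fresh-triple branch for a cheating R is not modelled)
    d_approves = all(revealed[i] == r_pairs[i] for i in I)
    # step 5: INT says YES iff D approved and every revealed pair agrees with
    # his own s and y_i, i.e. c_i == s + b_i * y_i
    int_says_yes = d_approves and all(
        (s + bi * y[i]) % P == ci for i, (bi, ci) in revealed.items())
    # step 6: if INT does not trust that an honest R will accept, D must broadcast s
    broadcast_s = None if int_says_yes else s
    unopened = [i for i in range(2 * K) if i not in I]
    int_state = {"s": s, "y": {i: y[i] for i in unopened}}
    r_state = {"pairs": {i: r_pairs[i] for i in unopened}}
    return int_state, r_state, int_says_yes, broadcast_s


def gic_authenticate(int_state, r_state, claimed_s=None):
    """GIC-Authenticate(INT -> R, s): INT sends s and the unopened y_i; R accepts
    iff some pair (b_i, c_i) she holds satisfies c_i = s + b_i*y_i.
    claimed_s (constructed) models an INT who tries to pass off another value:
    to make c_i = s' + b_i*y' hold he would need b_i, which only D and R know."""
    s = int_state["s"] if claimed_s is None else claimed_s % P
    return any((s + bi * int_state["y"][i]) % P == ci
               for i, (bi, ci) in r_state["pairs"].items())


def run_demo(seed=1):
    """Honest run, a tampered authentication, and an inconsistent dealer, for one seed.
    Returns (INT satisfied, value published, R accepts honest s, R accepts tampered s,
    INT satisfied with d inconsistent dealer, value published in that case)."""
    rng = random.Random(seed)
    int_state, r_state, yes, published = gic_generate(12345, rng)
    honest_ok = gic_authenticate(int_state, r_state)
    forged_ok = gic_authenticate(int_state, r_state, claimed_s=12346)
    _, _, yes_bad, published_bad = gic_generate(7, rng, dishonest_dealer=True)
    return yes, published, honest_ok, forged_ok, yes_bad, published_bad


if __name__ == "__main__":
    print(run_demo())
```

With an inconsistent dealer the cut in steps 2 and 3 exposes the mismatch, INT refuses to rely on the check vectors and step 6 forces D to publish s, which is exactly the guarantee the Post condition promises.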



3 Weak Secret Sharing

This WSS scheme comes (essentially) from [RB089].

Before describing the protocol note that we will refer to the WSS of a value $a$, by $D$, as $[a]^W_D$. A similar VSSed value will be denoted $[a]^V_D$ and a verifiably shared secret belonging to no particular player will be written $[a]^V$.

From now on we will always assume that the MSP being used is $Q^2$, that is we assume that the adversary structure $\mathcal{A}_f$ induced by the MSP is $Q^2$.

The WSS scheme is in two parts: the commitment protocol (WSS) and the opening protocol (WSS-OPEN).

Pre: The dealer $D$ has a secret $a \in K$.

Post: $D$ has shared $a$ such that either

• The shares the honest players hold are consistent with a single value which $D$ can reveal, or

• The shares are inconsistent and $D$ will always be caught and disqualified during the WSS-OPEN protocol.

Moreover, an honest $D$ will never be disqualified.

Protocol: WSS($D$, $a$)

1. SHARE($D$, $a$).

2. For every $i \ne j$: GIC-Generate($D \to P_i \to P_j$, $\alpha_{\psi^{-1}(i)}$).

Notice this protocol guarantees $P_i$ that at some later time he can transmit his share to $P_j$ and she will be convinced that $D$ indeed gave him $\alpha_{\psi^{-1}(i)}$.

Based on this protocol we can define a weakly shared value to be a value $a$ which a dealer $D$ has shared (not necessarily correctly) such that GIC has been run for every pair $(P_i, P_j)$ with $i \ne j$.

We now give the opening protocol.

Pre: $a$ is weakly shared by $D$.

Post: There is a single value $a$ which $D$ can reveal. All the honest players will output the same value, which will be either $a$ or null. They will output null only if $D$ has acted dishonestly in sharing or revealing the secret.

Protocol: WSS-OPEN($D$, $[a]^W_D$)

1. $D$ broadcasts the vector $a^*$ he created during the SHARE protocol.

2. Each $P_i$ runs GIC-Authenticate with $P_j$.

(Thus $P_j$ obtains $\alpha_{\psi^{-1}(i)}$ if $P_i$ is honest and rejects the value if $P_i$ tries to cheat. In the end, an honest $P_i$ will have obtained $\alpha_\Theta$ where $f(\Theta) = 1$, so he can reconstruct the secret if the shares of honest players are consistent.)

3. If for any $i$ such that $P_j$ accepted $P_i$'s value there is an inconsistency (i.e. $\alpha_{\psi^{-1}(i)} \ne M_{\psi^{-1}(i)} a^*$) then $P_j$ accuses $D$.

4. If the set of accusers is not in the adversary structure (i.e. $f(\{\text{accusers}\}) = 1$) then $D$ is disqualified. Otherwise his value (that is the first coordinate of $a^*$) is accepted.

Notice that $D$'s cooperation is essential to opening the commitment and that if need be, $D$ can open his WSS only to a single player $P_i$ by having all players send information only to $P_i$.

Lemma 6 For any MSP whose adversary structure $\mathcal{A}_f$ is $Q^2$, the pair of protocols (WSS, WSS-OPEN) is an $\mathcal{A}_f$-secure weak secret sharing scheme with error probability exponentially small in $k$.

3.1 Linear operations on weakly shared values

It is clear that a WSSed value can be multiplied by any constant $\lambda$: each INT multiplies his share by $\lambda$ and each $R$ multiplies each of his pairs $(b, c)$ by $\lambda$. Denote such a multiplication by $[\lambda a]^W_D \leftarrow \lambda * [a]^W_D$.

To add two WSSed values belonging to the same dealer, each player adds his shares of the two secrets to obtain his share of their sum. Then do GIC-Generate($D \to P_i \to P_j$, $\gamma_{\psi^{-1}(i)}$) where $\gamma$ is the vector of shares of the sum. The result is a WSS of the sum. Denote this by $[a + b]^W_D \leftarrow [a]^W_D + [b]^W_D$.

Remark: If $D$ does not commit $a$ properly but does commit $b$ properly, he will be caught as a cheater if he opens $a + b$. This yields a simple zero-knowledge proof that a value is correctly committed by WSS. Have $D$ pick $b$ at random and commit to $b$ and then use the preceding protocol to obtain $[a + b]^W_D$. Then flip a coin and have him either open $b$ or $a + b$ depending on the outcome. If he was badly committed to $a$ he will be caught with probability 1/2. Repeat the protocol $k$ times to get exponentially small probability of error.

4 Verifiable Secret Sharing

Verifiable secret sharing is a primitive introduced in [CGMA85]. The scheme we give comes essentially from [RB089].

Pre: The dealer $D$ has a secret $a \in K$.

Post: $D$ is committed to a unique value which can be efficiently recovered without his help. Moreover, each player has committed to his share by means of a WSS. The shares of all players at the top (VSS) level are consistent. The shares of honest players at the lower (WSS) level are consistent.

Protocol: VSS($D$, $a$)

1. SHARE($D$, $a$).

2. For $l = 1, \ldots, d$ do WSS($P_{\psi(l)}$, $\alpha_l$).

3. For $j = 1, \ldots, kn$ do:

(a) $D$ chooses $c^{(j)} \in_R K$.

(b) SHARE($D$, $c^{(j)}$) (yielding a random vector $c^{(j)*}$ and shares $\gamma^{(j)}_1, \ldots, \gamma^{(j)}_d$).

(c) For $l = 1, \ldots, d$ do WSS($P_{\psi(l)}$, $\gamma^{(j)}_l$).

4. For $j = 1, \ldots, kn$ do:

(a) $P_{j \bmod n}$ flips a coin and broadcasts the result.

(b) Heads: Let

• $b = c^{(j)}$

• $b^* = c^{(j)*}$

• $\beta = \gamma^{(j)}$

Tails: Let

• $b = a + c^{(j)}$

• $b^* = a^* + c^{(j)*}$

• $\beta = \alpha + \gamma^{(j)}$

(c) $D$ broadcasts $b^*$.

(d) Each $P_i$ checks if $\beta_{\psi^{-1}(i)} = M_{\psi^{-1}(i)} b^*$. If not, $P_i$ accuses $D$. $D$ must then broadcast all information given to $P_i$, that is $\alpha_{\psi^{-1}(i)}$ and $\gamma^{(j)}_{\psi^{-1}(i)}$ for all $j$. $P_i$ is removed from the VSS protocol (if $D$ does not broadcast the requested information, he is deemed corrupt).

(e) For $l = 1, \ldots, d$ do WSS-OPEN($P_{\psi(l)}$, $[\beta_l]^W$) (as long as $P_{\psi(l)}$ remains in the protocol).

If $P_{\psi(l)}$ gets caught in WSS-OPEN or if the value he reveals is inconsistent with the $b^*$ broadcast by $D$ then he is deemed corrupt and is removed from the protocol. All his shares of $a$ and of all the $c^{(j)}$ are then broadcast by $D$.

5. If the set of participants who are removed from the protocol (at any step) is qualified (i.e. not in the adversary structure) or if $D$ broadcasts inconsistent information then $D$ is deemed corrupt and the VSS is considered failed. Otherwise the VSS is deemed a success.

Note that as long as no errors occur in the subprotocols, the only way for $D$ to succeed in passing off inconsistent shares for $a$ is to correctly guess all the coin flips. Since at least one player is honest at least $k$ of the coin flips are fair and so the failure probability is below $2^{-k}$.

Based on this protocol we can define a verifiably shared value to be a value $a$ such that every player is committed to his share of $a$ via WSS. Moreover, the shares of all players at the top level must be consistent as must the shares of honest players at the bottom (WSS) level.

The opening protocol is VSS-OPEN:

Pre: $a$ is a verifiably shared value.

Post: All honest players output $a$.

Protocol: VSS-OPEN($[a]^V$)

1. Each player opens his WSS to his share of the secret.

2. $a$ is reconstructed from any qualified set of players who opened their WSS successfully or whose shares had been broadcast in the VSS protocol.

Notice that no false shares can be contributed since any bad WSS's would have been detected (with high probability) in the VSS protocol. Moreover, all honest players will reveal their secret correctly and so a qualified set of shares is available for reconstruction.

Also notice that $D$'s participation is not necessary and that the OPEN protocol works for any verifiably shared secret.

Lemma 7 For any MSP whose adversary structure $\mathcal{A}_f$ is $Q^2$, the pair of protocols (VSS, VSS-OPEN) forms an $\mathcal{A}_f$-secure VSS scheme with error probability exponentially small in $k$.

This proves theorem 2.

4.1 Linear operations on verifiably shared values

It is possible to perform linear operations on a verifiably shared value by performing the corresponding operations on the shares (committed to via a WSS). In the case of VSS, it is not necessary that the secrets being added belong to the same dealer or indeed to anyone at all.

4.2 Converting WSS to VSS

A shared value $[a]^W_D$ can be converted to $[a]^V_D$ by throwing away the check vector information of the GIC protocols and considering the WSS as a simple secret sharing. The VSS protocol can then be started from step 2. The cooperation of the dealer is required for converting his WSS to a VSS.

5 Multi-Party Computation

The protocol for computing a function $g(x_1, x_2, \ldots, x_n)$ where $x_i$ is the input of $P_i$ follows the basic outline of [BOGW88], [CCD88], [RB089]. Before the computation begins, the players decide on an arithmetic circuit over $K$ which computes $g$. Each player commits to his input via a VSS $[x_i]^V_{P_i}$. The players then evaluate the circuit gate by gate to eventually end up with $[g(x_1, x_2, \ldots, x_n)]^V$. This commitment is then opened publicly.

We already discussed how to achieve a multi-party computation for addition and multiplication by a constant, so all that is missing now is a multi-party multiplication protocol.

5.1 Checking a product

We start by describing a protocol VSS-CP used by a dealer to prove that three secrets $[a]^V_D$, $[b]^V_D$, $[c]^V_D$ satisfy $ab = c$. This protocol replaces the [RB089] protocol that used the multiplication table of the field $K$. The [RB089] protocol is insufficient since it runs in time $\Omega(|K|^2)$ whereas we require a protocol polynomial in $\log|K|$. We require this since it may be that the only polynomial sized MSP's for a given adversary structure happen to be over large fields (see open questions in section 6 for further discussion).

The protocol given here appeared in [CEvdG87, BCDP90], for commitments based on the discrete logarithm problem. As it appears here it works for any homomorphic commitment scheme (i.e. one which allows addition of secrets).

Pre: The dealer has $[a]^V_D$, $[b]^V_D$ and $[c]^V_D$ where $ab = c$.

Post: Every participant, knowing only shares of $[a]^V_D$, $[b]^V_D$ and $[c]^V_D$, will be convinced (with very small probability of error) that $ab = c$.

Protocol: VSS-CP($D$, $[a]^V_D$, $[b]^V_D$, $[c]^V_D$)

1. Repeat for $j = 1, \ldots, kn$:

(a) $D$ chooses $b' \in_R K$ and computes $c' = ab'$.

(b) $D$ commits himself to $b'$ and $c'$ by computing

• $[b']^V_D \leftarrow$ VSS($D$, $b'$)

• $[c']^V_D \leftarrow$ VSS($D$, $c'$)

(c) The participant $P_{j \bmod n}$ flips a coin:

i. If Heads:

• The participants open $[b']^V_D$.

• They collectively compute $[ab' - c']^V \leftarrow b' * [a]^V_D - [c']^V_D$.

• They open this commitment and check it is 0.

ii. If Tails:

• The participants collectively compute and open $[b + b']^V_D$.

• They collectively compute $[a(b + b') - (c + c')]^V \leftarrow (b + b') * [a]^V_D - [c']^V_D - [c]^V_D$.

• They open this commitment and check it is 0.

Analysis: If in fact $c = ab$, the verification in steps 1(c)i and 1(c)ii will always be successful. On the other hand, if $c \ne ab$, there are two cases. First, if in fact $D$ chose $c' = ab'$, in step 1(c)ii the participants would find that $c + c' \ne ab + ab'$. Second, if $c \ne ab$ but $c' \ne ab'$, the verification in step 1(c)i would fail. The protocol VSS-CP thus provides a proof to each honest player with probability of error less than $2^{-k}$. Moreover this proof is zero-knowledge in that the information revealed is never enough to reveal any information about $c$, $a$ or $b$.
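The VSS-CP exchange above run over a Pedersen commitment, i.e. the discrete-logarithm setting of [CEvdG87] and [BCDP90] that the text mentions, instead of the paper's VSS commitments. This is an added example and not the paper's code; the group parameters, the secret values and the `fake_cprime` cheating strategies are constructed for illustration, and the coin outcomes are passed in explicitly so that both branches of the analysis can be exercised deterministically.

```python
"""VSS-CP product check of section 5.1 over an additively homomorphic commitment
(added example, not the paper's code).  Commitments are Pedersen: C(x; r) = g^x h^r in a
group of prime order q, so C(x1; r1) * C(x2; r2) = C(x1 + x2; r1 + r2) and
C(x; r)^k = C(kx; kr), which is all the protocol needs."""
import random

# constructed toy parameters: p = 2q + 1 with q prime, g and h of order q.
# In real use h must be chosen so that log_g(h) is unknown to the prover.
p, q = 2039, 1019
g, h = 4, 9


def commit(x, r):
    return (pow(g, x % q, p) * pow(h, r % q, p)) % p


def opens_to(C, x, r):
    """Verifier's check that (x, r) is a valid opening of commitment C."""
    return commit(x, r) == C


def inverse(C):
    return pow(C, q - 1, p)  # C has order dividing q, so C^(q-1) = C^(-1)


def vss_cp(a, b, c, rng, coins, fake_cprime=None):
    """Prover (D) holds openings of [a], [b], [c] and must convince the verifiers that
    ab = c.  coins is the sequence of public coin flips (0 = heads, 1 = tails), one per
    round.  fake_cprime(a, b') (constructed) lets a cheating prover pick c' differently
    from the honest c' = ab'.  Returns True iff every round passed."""
    ra, rb, rc = (rng.randrange(q) for _ in range(3))
    Ca, Cb, Cc = commit(a, ra), commit(b, rb), commit(c, rc)   # [a], [b], [c]
    for coin in coins:
        # (a) D chooses b' at random and computes c' (= ab' when honest)
        bp = rng.randrange(q)
        cp = (a * bp) % q if fake_cprime is None else fake_cprime(a, bp) % q
        # (b) D commits to b' and c'
        rbp, rcp = rng.randrange(q), rng.randrange(q)
        Cbp, Ccp = commit(bp, rbp), commit(cp, rcp)
        if coin == 0:
            # Heads: open [b'], then form b' * [a] - [c'] homomorphically and open it as 0
            if not opens_to(Cbp, bp, rbp):
                return False
            C0 = (pow(Ca, bp, p) * inverse(Ccp)) % p            # C(ab' - c'; b' ra - rcp)
            if not opens_to(C0, 0, bp * ra - rcp):               # passes iff ab' = c'
                return False
        else:
            # Tails: open [b + b'], then form (b + b') * [a] - [c'] - [c] and open it as 0
            s, rs = (b + bp) % q, (rb + rbp) % q
            if not opens_to((Cb * Cbp) % p, s, rs):
                return False
            C0 = (pow(Ca, s, p) * inverse((Ccp * Cc) % p)) % p   # C(a(b+b') - c' - c; ...)
            if not opens_to(C0, 0, s * ra - rcp - rc):          # passes iff a(b+b') = c + c'
                return False
    return True


def run_demo(seed=3):
    """Honest prover, then the two cheating strategies from the analysis above:
    c' = ab' survives heads but fails tails; c' = ab' - (c - ab) survives tails but
    fails heads.  Returns the four outcomes (constructed values a=5, b=7, c=35 or 36)."""
    rng = random.Random(seed)
    honest = vss_cp(5, 7, 35, rng, coins=[0, 1, 0, 1])
    cheat_a = vss_cp(5, 7, 36, rng, coins=[0, 1], fake_cprime=lambda a, bp: a * bp)
    cheat_b_tails_only = vss_cp(5, 7, 36, rng, coins=[1], fake_cprime=lambda a, bp: a * bp - 1)
    cheat_b = vss_cp(5, 7, 36, rng, coins=[1, 0], fake_cprime=lambda a, bp: a * bp - 1)
    return honest, cheat_a, cheat_b_tails_only, cheat_b


if __name__ == "__main__":
    print(run_demo())
```

The third outcome shows why the rounds are repeated: a single round whose coin happens to land tails is fooled by the second strategy, so only after k fair coins is the error below 2^-k.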

5.2 The Multiplication protocol

This protocol is the multiplication protocol for active adversaries in [CDM98]. It assumes that the MSP being used has multiplication (see section 1.3 for details).

Pre: We have $[u]^V$, $[v]^V$.

Post: We obtain $[uv]^V$, that is $uv$ is a verifiably shared secret.

Protocol: MULT($[u]^V$, $[v]^V$). We will denote by $\mu$ and $\nu$ the vectors that share $u$ and $v$ respectively.

1. For $l = 1, \ldots, d$ do: $P_{\psi(l)}$ converts his WSS of $\mu_l$ and of $\nu_l$ into $[\mu_l]^V_{\psi(l)}$ and $[\nu_l]^V_{\psi(l)}$ (see section 4.2 for how to do this).

2. For $l = 1, \ldots, d$ do:

• Player $P_{\psi(l)}$ computes $w_l := \mu_l \nu_l$.

• $[w_l]^V_{\psi(l)} \leftarrow$ VSS($P_{\psi(l)}$, $w_l$).

• Run VSS-CP($P_{\psi(l)}$, $[\mu_l]^V_{\psi(l)}$, $[\nu_l]^V_{\psi(l)}$, $[w_l]^V_{\psi(l)}$), so as to prove to everybody that his committed value $w_l$ is in fact $\mu_l \nu_l$.

3. Collectively compute

$$[uv]^V = r_1 * [w_1]^V_{\psi(1)} + \cdots + r_d * [w_d]^V_{\psi(d)},$$

where $r = (r_1, \ldots, r_d)$ is the recombination vector (this is a simple linear combination and can be done as in section 4.1).

If at any stage of the computation, a participant is detected as being a cheater, he is excluded from the protocol. The only problem that may arise is in step 1, since the participation of the dealer is necessary to convert a WSS to a VSS. If this ever happens, we simply reset the protocol to the input distribution stage, the remaining players open the cheaters' VSSed inputs and then they restart the protocol. This will prolong the protocol by a factor of at most $n$.

Since $uv$ is now a verifiably shared secret, it can be efficiently opened by the honest players using VSS-OPEN.

Notice the protocol given has no inherent probability of error. Its probability of error is at most the sum of the error probabilities of its subprotocols. As each of these has error probability exponentially small in $k$ and is executed polynomially many times, the error probability remains exponentially small in $k$.

This completes the proof of theorem 3.
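The MSP machinery of sections 1.3, 2.1 and 5.2 in one place, as an added example that is not the paper's code: an MSP over a prime field, the monotone function f it computes (definition 3), SHARE and reconstruction by a qualified set (section 2.1), and the recombination vector of definition 4 applied to locally multiplied shares as in step 3 of MULT (without the WSS/VSS and VSS-CP layers). The field P = 101 and the MSP with rows (1, i), i.e. degree-1 polynomial sharing among n players, are constructed choices; for n = 3 its adversary structure is the single-player sets, which is Q^2.

```python
"""Monotone span programs over GF(P): f(B), SHARE, reconstruction and the
recombination vector used by MULT (added example, not the paper's code)."""
import random

P = 101  # constructed: the finite field K of the MSP


def solve(A, rhs):
    """Return x with A x = rhs over GF(P), or None if the system is inconsistent.
    Gauss-Jordan elimination; free variables are set to 0."""
    rows = [list(r) + [v % P] for r, v in zip(A, rhs)]
    ncols = len(A[0]) if A else 0
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(rows):
            break
        piv = next((i for i in range(r, len(rows)) if rows[i][c] % P), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        s = pow(rows[r][c], P - 2, P)
        rows[r] = [(v * s) % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] % P:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % P for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):   # a row 0 = nonzero: no solution
        return None
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = rows[i][-1]
    return x


class MSP:
    """(K, M, psi): M is a d x e matrix over K, psi maps each row to a player."""

    def __init__(self, M, psi):
        self.M, self.psi = M, psi
        self.d, self.e = len(M), len(M[0])
        self.target = [1] + [0] * (self.e - 1)         # target vector e = (1, 0, ..., 0)

    def rows_of(self, B):
        """Indices of the rows the MSP associates with the player set B."""
        return [l for l in range(self.d) if self.psi[l] in B]

    def coefficients(self, B):
        """x with x^T M_B = e, i.e. e in the span of the rows of M_B; None if B is rejected."""
        rows = self.rows_of(B)
        MB_T = [[self.M[l][c] for l in rows] for c in range(self.e)]
        return solve(MB_T, self.target)

    def f(self, B):
        return 1 if self.coefficients(B) is not None else 0

    def share(self, a):
        """SHARE(D, a): a* = (a, rho_2, ..., rho_e) with random rho, alpha = M a*;
        share alpha_l goes to player psi(l)."""
        a_star = [a % P] + [random.randrange(P) for _ in range(self.e - 1)]
        return [sum(m * v for m, v in zip(row, a_star)) % P for row in self.M]

    def reconstruct(self, alpha, B):
        """A qualified B recovers a as x^T alpha_B = x^T M_B a* = e^T a* = a."""
        x = self.coefficients(B)
        if x is None:
            raise ValueError("B is in the adversary structure A_f")
        return sum(xi * alpha[l] for xi, l in zip(x, self.rows_of(B))) % P

    def recombination_vector(self):
        """r with <r, Mb * Mb'> = <e, b * b'> for all b, b' (definition 4).  It suffices
        to impose this on basis vectors: one equation per pair (j, k) with coefficient
        row M e_j * M e_k and right-hand side 1 only for j = k = 1."""
        cols = [[row[j] for row in self.M] for j in range(self.e)]
        A, rhs = [], []
        for j in range(self.e):
            for k in range(j, self.e):
                A.append([(u * v) % P for u, v in zip(cols[j], cols[k])])
                rhs.append(1 if j == k == 0 else 0)
        return solve(A, rhs)


def polynomial_msp(n):
    """Constructed MSP: rows (1, i), i = 1..n, one row per player (psi(l) = l).
    Its A_f is the single-player sets, which is Q^2 as soon as n >= 3."""
    return MSP([[1, i] for i in range(1, n + 1)], list(range(1, n + 1)))


def mult_demo(msp, u, v):
    """Step 3 of MULT without its VSS and VSS-CP layers: the holder of row l multiplies
    its two shares locally, then the recombination vector recovers uv from the products."""
    mu, nu = msp.share(u), msp.share(v)
    w = [(m * n) % P for m, n in zip(mu, nu)]
    r = msp.recombination_vector()
    return sum(ri * wi for ri, wi in zip(r, w)) % P


if __name__ == "__main__":
    msp = polynomial_msp(3)
    print("f({1}) =", msp.f({1}), " f({1,2}) =", msp.f({1, 2}))
    print("recombination vector:", msp.recombination_vector())
    print("7 * 9 via MULT shares:", mult_demo(msp, 7, 9))
```

For this MSP the recombination vector is the Lagrange coefficients at 0 for the points 1, 2, 3, which is why three rows are needed even though two suffice for reconstruction: the products of two degree-1 sharings form a degree-2 sharing.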



6 Open questions

1. It has not yet been proven whether MSP's with multiplication are super-polynomially more efficient than majority accepting circuits (or formulae) for computing max-$Q^2$ functions³. In [CDM98], a super-polynomial gap has been proved for general MSP's (which don't necessarily have the multiplication property). An interesting question is to determine how MSP's with multiplication perform as compared to MSP's without multiplication.

One thing which is known is that schemes based on MSP's with multiplication (or even with strong multiplication) are at least as efficient as those based on threshold formulae. In particular this implies that the protocol given here is at least as efficient as the one in [HM97]. This is proved in [CDM98].

2. No results have so far been published which extend threshold results other than [GMW87], [BOGW88], [CCD88] and [RB089]. Although it would seem that the ideas from [CDM98] extend more or less directly to many distributed threshold protocols, this is not the case for asynchronous protocols.

3. In asynchronous systems, MPC is possible tolerating any active $Q^3$ adversary structure (by extending results of [Bra87, BKR94]). However, no polynomial-time protocol currently exists. The bottleneck is a primitive from distributed computing known as Byzantine Agreement (BA). Although an efficient asynchronous BA protocol exists for threshold structures with $t < n/3$ (from [CR93]), the proof of correctness given there does not carry over to general structures.

4. Very few results exist which connect the size of the field used in an MSP to the size of the matrix $M$. Although one can pass from $K$ to a subfield with blowup only quadratic in the degree of the extension [Cra98], it is possible that certain functions have polynomial size MSP's which work only over unmanageably large prime fields.



Acknowledgements 

We would like to thank Claude Crepeau for his support and many helpful comments, as well as for suggesting 
this area of study, as well as Ronald Cramer and Ivan Damgard for their comments on the manuscript. 

References 

[ACM88] Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, Chicago, Illinois, 2-4 May 1988.

[BCDP90] Joan Boyar, David Chaum, Ivan Damgard, and Torben Pedersen. Convertible undeniable signatures. In A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology — CRYPTO '90, volume 537, pages 189-205. Springer-Verlag, 1991, 11-15 August 1990.

[BKR94] Michael Ben-Or, Boaz Kelmer, and Tal Rabin. Asynchronous secure computations with optimal resilience (extended abstract). In Proceedings of the Thirteenth Annual ACM Symposium on Principles of Distributed Computing, pages 183-192, Los Angeles, California, 14-17 August 1994.

[BOGW88] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In ACM [ACM88], pages 1-10.

[Bra87] Gabriel Bracha. Asynchronous Byzantine agreement protocols. Information and Computation, 75(2):130-143, November 1987.

[CCD88] David Chaum, Claude Crepeau, and Ivan Damgard. Multiparty unconditionally secure protocols (extended abstract). In ACM [ACM88], pages 11-19.

[CDD+] Ronald Cramer, Ivan Damgard, Stefan Dziembowski, Martin Hirt, and Tal Rabin. Efficient multiparty computations with dishonest minority. Submitted to EUROCRYPT '99.

[CDM98] Ronald Cramer, Ivan Damgard, and Ueli Maurer. Span programs and general multiparty computation. Preliminary version appeared as BRICS tech. report number BRICS-RS-97-28, 1998.

[CEvdG87] David Chaum, Jan-Hendrik Evertse, and Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In David Chaum and Wyn L. Price, editors, Advances in Cryptology — EUROCRYPT 87, volume 304, pages 127-141. Springer-Verlag, 1988, 13-15 April 1987.

[CGMA85] Benny Chor, Shafi Goldwasser, Silvio Micali, and Baruch Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In 26th Annual Symposium on Foundations of Computer Science, pages 383-395, Portland, Oregon, 21-23 October 1985. IEEE.

[CR93] Ran Canetti and Tal Rabin. Fast asynchronous Byzantine agreement with optimal resilience (extended abstract). In Proceedings of the Twenty-Fifth Annual ACM Symposium on the Theory of Computing, pages 42-51, San Diego, California, 16-18 May 1993.

[Cra98] Ronald Cramer, August 1998. Personal communication.

[GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pages 218-229, New York City, 25-27 May 1987.

[HM97] M. Hirt and U. Maurer. Complete characterization of adversaries tolerable in general multiparty computations. In Proc. ACM PODC'97, pages 25-34, 1997.

[KW93] M. Karchmer and A. Wigderson. On span programs. In Proceedings of the Eighth Annual Structure in Complexity Theory Conference, pages 102-111, San Diego, California, 18-21 May 1993. IEEE Computer Society Press.

[RB089] Tal Rabin and Michael Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, pages 73-85, Seattle, Washington, 15-17 May 1989.

³ A max-$Q^2$ adversary structure is one to which no more sets can be added without it losing the $Q^2$ property. A max-$Q^2$ function is one whose associated adversary structure $\mathcal{A}_f$ is max-$Q^2$.



